Cobalt Strike is a licensed penetration-testing software package developed by Fortra (previously Help Systems) that helps red teams simulate an adversary in red-vs-blue exercises. While the software itself is completely legal and designed for cybersecurity testing, over the years many versions of it have been cracked and leaked into the wild. Despite several attempts to stop its abuse, by the developer and by the online community, attackers continue to employ it to install multiple payloads after compromising their victims' networks.

Most of these cracked versions were obtained by accessing a trial, which is only given to verified parties (evidently, hackers found a way to skirt this), and then bypassing the license check and the trial restrictions. (The trial version of Cobalt Strike has many deliberate giveaways, such as the EICAR string embedded in all payloads and a watermark.)

Being a legitimate tool, there is a ton of educational material online illustrating what Cobalt Strike can do. This, of course, lowers the entry threshold and contributes to the popularity of the software among bad actors. One can literally learn how to abuse it directly from its creators.

Cracked Cobalt Strike versions circulate freely in various underground forums and are sometimes found on clearnet resources, like GitHub. Although most of them are somewhat outdated, they still pose a serious threat: many criminal groups use them to gain initial access and move laterally through victims' networks.

Cobalt Strike malware analysis review

Cobalt Strike consists of multiple components, which together form a comprehensive hacking suite. The central element of the software is the Team Server component, which acts as both the C2 server and a coordinating program that helps multiple adversaries work together and control hijacked devices. To access it, actors use a Client component, which serves as the GUI for the Team Server.

Team Server can generate shellcode implants called Stagers. These fileless implants are available as VBA, JavaScript and PowerShell macro templates. When an attacker infiltrates a victim's network and runs one of the Stagers, the Stager contacts the Team Server via HTTP/HTTPS, SMB, or DNS to fetch and install the main payload, known as the Beacon.

The Beacon is the core binary, which allows the attacker to control infected machines remotely. It supports a wide list of malicious operations and is designed to be configurable and expandable. This extensibility is often used to deliver and run custom modules, and it makes Cobalt Strike's malicious capabilities virtually limitless. What's more, there are built-in modules that allow attackers to customize the payload to avoid detection: these include the Artifact Kit, Malleable C2 Profiles, and the Resource Kit.

Also, it's important to note that since Cobalt Strike was originally designed for team exercises, the Team Server and Client modules allow criminal gangs to coordinate attacks with multiple operators acting simultaneously, potentially targeting multiple weak spots.

How to get more information from Cobalt Strike malware

ANY.RUN helps analysts track the execution process of Cobalt Strike in an interactive online sandbox. ANY.RUN users can access the analysis results 10 seconds after launching the sandbox, which saves crucial time, especially during incident response when every second matters.

Figure 1: Cobalt Strike malware configuration

Cobalt Strike execution process

The payloads usually delivered by Cobalt Strike range from ransomware to spyware and even Advanced Persistent Threats. The execution of Cobalt Strike varies greatly from sample to sample. Not only are there lots of iterations of the client, but the program itself is frequently updated by the developers. Besides the common type that uses an executable file, there are also versions that use PowerShell or JS to take control of the infected system. In ANY.RUN, users can study the config of the Cobalt Strike utility to better understand how it works.

Unfortunately, the distribution of Cobalt Strike is poorly documented, but it's believed to be delivered using malicious macros, bundled with an infected executable, embedded in a phishing email.
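The configuration that analysts can study in the sandbox is stored inside the Beacon as a masked list of records. The decoder below is an added example, not code from this page or from ANY.RUN; it follows the record layout documented by public Beacon config extractors (a one-byte XOR mask over big-endian index/type/length records) and recovers the transport, port, C2 server, sleep/jitter and the watermark (license id) from a constructed sample blob. The XOR keys, field numbers, field names and all sample values are this example's own assumptions, not values taken from the page.

```python
import struct

# Layout as documented by public config extractors, not by the page above:
# big-endian index/type/length records masked with a one-byte XOR key
# (0x2e in the 4.x generation, 0x69 in 3.x). Field names are this example's labels.
XOR_KEYS = (0x2E, 0x69)
FIELD_NAMES = {1: "beacon_type", 2: "port", 3: "sleep_ms", 5: "jitter",
               8: "c2_server", 9: "user_agent", 37: "watermark"}
BEACON_TYPES = {0: "HTTP", 1: "Hybrid HTTP DNS", 2: "SMB", 4: "TCP",
                8: "HTTPS", 16: "Bind TCP"}

def parse_records(blob: bytes) -> dict:
    """Walk index/type/length records until the all-zero terminator."""
    out, pos = {}, 0
    while pos + 6 <= len(blob):
        idx, typ, ln = struct.unpack_from(">HHH", blob, pos)
        pos += 6
        if idx == 0:                       # terminator record
            break
        raw, pos = blob[pos:pos + ln], pos + ln
        if typ == 1:                       # short
            val = struct.unpack(">H", raw[:2])[0]
        elif typ == 2:                     # int
            val = struct.unpack(">I", raw[:4])[0]
        else:                              # NUL-padded bytes
            val = raw.split(b"\x00", 1)[0].decode("latin-1")
        if idx == 1:                       # map beacon type number to its transport
            val = BEACON_TYPES.get(val, val)
        out[FIELD_NAMES.get(idx, f"field_{idx}")] = val
    return out

def decode_config(masked: bytes) -> dict:
    """Try each known key; accept the one whose first record is the beacon type."""
    for key in XOR_KEYS:
        blob = bytes(b ^ key for b in masked)
        if blob[:4] == b"\x00\x01\x00\x01":
            return parse_records(blob)
    raise ValueError("no known XOR key yields a valid config header")

# Constructed sample (not a real capture): an HTTPS beacon config masked with 0x2e.
def _rec(idx, typ, data):
    return struct.pack(">HHH", idx, typ, len(data)) + data
SAMPLE_CONFIG = bytes(b ^ 0x2E for b in (
    _rec(1, 1, struct.pack(">H", 8))                                 # HTTPS
    + _rec(2, 1, struct.pack(">H", 443)) + _rec(3, 2, struct.pack(">I", 60000))
    + _rec(5, 1, struct.pack(">H", 20))                              # jitter %
    + _rec(8, 3, b"c2.example.invalid,/api/v1".ljust(64, b"\x00"))   # host,URI
    + _rec(37, 2, struct.pack(">I", 0))                              # watermark
    + b"\x00" * 6))                                                  # terminator
```

On the sample, decode_config returns beacon_type HTTPS, port 443 and c2.example.invalid,/api/v1 as the C2 server; a real extractor would first have to locate the masked blob inside the unpacked Beacon image, which this example skips.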